ajaykau / yii-user

Automatically exported from code.google.com/p/yii-user

Security Issue : List of users are displayed without login authentication #50

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. install yii-user on a standard yii installation
2. Browse to  <site>/index.php?r=user
3. Displays list of users present in the system

What is the expected output? What do you see instead?

Ideally I would expect only the Admin user to see the list of all users. If not,
at least the DefaultController should expect one to authenticate before
presenting the list of users.

What version of the product are you using? On what operating system?

yii-user-0.3-r69 and yii-1.1.5.r2654  / Linux 

Please provide any additional information below.

It would be helpful if the Index and View operations of Users could be restricted to
Admins via module configuration or some other means.

Original issue reported on code.google.com by rames...@gmail.com on 31 Dec 2010 at 4:01

GoogleCodeExporter commented 9 years ago
coming soon

Original comment by mish...@gmail.com on 9 Feb 2011 at 4:30

GoogleCodeExporter commented 9 years ago
I agree, the list of users should be visible only to admin by default. But we
already have the 'manage' action, so I don't know whether we need another list of users
or not.

Original comment by vitaliy.step on 28 Feb 2011 at 2:33

GoogleCodeExporter commented 9 years ago
Hello, I just observed the same thing in my Yii user module. I could see List
Users without login. I believe this is a security issue because a user should be
authenticated before he can see Manage users or user profile fields etc...

Original comment by netmax.n...@gmail.com on 10 Jan 2012 at 2:42

GoogleCodeExporter commented 9 years ago
Hi, I wrote this workaround to allow only admin to view the list of users.

Original comment by evitul...@gmail.com on 21 Mar 2012 at 11:10

GoogleCodeExporter commented 9 years ago
Thank you for the above notice and patch.

I conducted some further testing and after applying the above patch the 
following URL still exposes user information.

<site>/index.php/user/user/view/id/1

Therefore I found it necessary to also apply the above patch into 
UserController.php in the actionView() method.

    /**
     * Displays a particular model if current user is Admin.
     */
    public function actionView()
    {
        if (Yii::app()->user->isGuest) {
            //redirect to login if guest
            $this->redirect(Yii::app()->controller->module->loginUrl);
        } else {
            if (Yii::app()->getModule('user')->isAdmin()) {
                $model = $this->loadModel();
                $this->render('view',array(
                    'model'=>$model,
                ));
            } else {
                throw new CHttpException(403, "You are not authorized to perform that.");
            }
        }
    }

I also updated actionIndex() here as well.

    /**
     * Lists all registered users who are not banned, if the current user is Admin.
     */
    public function actionIndex()
    {
        if (Yii::app()->user->isGuest) {
            //redirect to login if guest
            $this->redirect(Yii::app()->controller->module->loginUrl);
        } else {
            if (Yii::app()->getModule('user')->isAdmin()) {
                $dataProvider=new CActiveDataProvider('User', array(
                    'criteria'=>array(
                        'condition'=>'status>'.User::STATUS_BANNED,
                    ),
                    'pagination'=>array(
                        'pageSize'=>Yii::app()->controller->module->user_page_size,
                    ),
                ));

                $this->render('index',array(
                    'dataProvider'=>$dataProvider,
                ));
            } else {
                throw new CHttpException(403, "You are not authorized to perform that.");
            }
        }
    }

Cheers!

Original comment by Supercha...@gmail.com on 21 Apr 2013 at 1:45
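As an added example (not code from this thread or from the yii-user project), the same admin-only restriction expressed with Yii 1.1's built-in accessControl filter, so that the rule is enforced before any action runs and a newly added action cannot be forgotten the way actionView() was above. It assumes the module's isAdmin() and the controller's loadModel() from the patches in this thread, and a Controller base class as in a standard Yii application; allow rules for the controller's other actions (profile, login, etc.) are omitted here.

```php
<?php
// Added example: declarative access control for the user module's
// UserController in Yii 1.1 (assumed Controller base class).
class UserController extends Controller
{
    public function filters()
    {
        // CAccessControlFilter evaluates accessRules() before every action
        // of this controller, so no action can bypass the check.
        return array('accessControl');
    }

    public function accessRules()
    {
        // Rules are matched in order; the first matching rule wins.
        return array(
            // Admins, as defined by the module's own isAdmin(), may list and view users.
            array('allow',
                'actions'    => array('index', 'view'),
                'expression' => 'Yii::app()->getModule("user")->isAdmin()',
            ),
            // Everyone else is denied: the filter sends guests to
            // Yii::app()->user->loginUrl via loginRequired() and throws a
            // 403 CHttpException for authenticated non-admins.
            array('deny',
                'users' => array('*'),
            ),
        );
    }

    public function actionIndex()
    {
        // No authorization logic here: the filter has already enforced it.
        $dataProvider = new CActiveDataProvider('User', array(
            'criteria'   => array('condition' => 'status>' . User::STATUS_BANNED),
            'pagination' => array('pageSize' => $this->module->user_page_size),
        ));
        $this->render('index', array('dataProvider' => $dataProvider));
    }

    public function actionView()
    {
        $this->render('view', array('model' => $this->loadModel()));
    }
}
```

Because the filter's loginRequired() redirects to Yii::app()->user->loginUrl rather than the module's loginUrl, point that application setting at the user module's login route so guests land on the same login page the inline patches redirect to.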